原文：Hack Tibet--Welcome to Dharamsala, ground zero in China's cyberwar.
作者：Jonanthan Kaiman 发表于2013年12月4日
译者：推友 @yuhui926 译于2013年12月11日
达兰萨拉，印度—洛桑西绕嘉措（Lobsang Gyatso Sither）坐在一所图伯特学校礼堂的前面，来自他幻灯演示(PPT)的矩形光线微弱地照亮了他面前的数排学生。“除非你知道会收到附件，否则绝不要打开，”西绕说。学生们点头。讲台上挂着达赖喇嘛的肖像，肖像四周由摇曳的电子蜡烛围着；一只流浪犬在人群后漫步。“绝不要把密码给任何人，”西绕说，并点击下一张幻灯片，上面讲解了使用陌生U盘的危险。“中国政府或其他人可能会控制你的电脑。”
图伯特流亡政府一半以上的电脑都含有某种恶意软件，新闻官员次仁旺久（Tsering Wangchuk）推测藏人行政中央一半以上的电脑都含有某种恶意软件，“达兰萨拉的多数重要电脑都被入侵了，”他说。13位政府技术人员花费大量时间，仅仅只是检查硬盘，寻找并删除恶意代码。“他们一直在警觉地追着我们，” 另一位要求匿名的政府职员说。“假如十万次尝试中他们成功了一次，他们便会乘此机会掠夺一切可能的信息。”
Walton说，许多设在达兰萨拉的图伯特非政府组织，都曾经被闻名于入侵西方公司、军商和政府部门的网络团体袭击。其中被美国麦迪安网络安全公司代号为“APT1”的团体，是一个附属于中国军队的精英网络间谍组织。另一个团体被网络安全公司赛门铁克公司予以代号“Nitro”, 据传曾在2011年盗窃全球大化学公司的秘密文件。“最悲观的看法是，流亡的图伯特人能做的微乎其微，因为他们资源贫瘠，”Walton说。“假如实际情况是连美国国务院五角大楼都被相同的网络团体所攻击，那么喜马拉雅山麓的难民们有什么解决这个问题的希望呢？”他描述来自中国的“高级持续威胁”（APT)）策略如同汇集 “千粒沙,” 当中的一些信息，无论多小，都将是具有战略价值的。
也许对图伯特的网络安全更有害的威胁来自微信——一个包括Instagram, Skype和 Facebook特点的中国智能手机应用程序。其用户超过五亿，其中一亿在中国境外；作为难民联系家人的简捷方式，它近几年在达兰萨拉极为流行。“我这里所有的朋友都用微信，” 一位穿越喜马拉雅山脉逃到印度的22岁难民扎西朗杰（Tashi Nangyal）说。“因为在境内的图伯特族人们都在使用微信，我们没有想过使用别的。”
Welcome to Dharamsala, ground zero in China's cyberwar.
BY JONATHAN KAIMAN DECEMBER 4, 2013
DHARAMSALA, India — Lobsang Gyatso Sither sits at the front of a Tibetan school auditorium, the bright rectangle of his PowerPoint presentation dimly illuminating the first few rows of students before him. "Never open attachments unless you are expecting them," Sither says. The students nod. A portrait of the Dalai Lama hangs above the stage, framed by flickering electronic candles; a stray dog ambles behind the crowd. "Never give anyone else your passwords," Sither says, clicking to a new slide, which explains the dangers of using an unfamiliar thumb drive. "The Chinese government or others could take control of your computer."
Welcome to Dharamsala, population 20,000 and one of the most hacked places in the world. This small city in India's lush Himalayan foothills is home to the Dalai Lama, the exiled Tibetan spiritual leader; the Central Tibetan Administration, or CTA (formerly called the Tibetan government in exile); and a host of Tibetan media outlets and nongovernmental organizations, some of which the Chinese government classifies as terrorist groups. The Dalai Lama fled here in 1959 after communist troops violently suppressed an uprising in Lhasa, now the capital of western China's Tibetan Autonomous Region. India embraced the Dalai Lama as a token of religious diversity, and tens of thousands of refugees followed suit. About 130,000 Tibetans live in exile, according to a 2009 census; Dharamsala is the closest thing they have to a political capital.
The city has an ancient feel. Homes cling to precipitous mountain roads that weave through dense cedar forests; macaque monkeys prance among the rooftops. Yet it is changing, moving cautiously into the future. Computers have become ubiquitous. Roadside cafes offer double espressos and wireless Internet (common passwords include "FreeTibet" and "Independence"). Young Tibetans are snapping up iPhones, which, unlike competing devices, offer the option of a Tibetan-language keyboard.
Communication between the city's Tibetan community and Tibet itself is easier than it has ever been. Yet the risk of dialing home has never been greater. "If we don't use secure lines of communication, Tibetans in Tibet could be prosecuted" for sending sensitive information abroad, says Sither, a field coordinator for the Tibet Action Institute, a New York-based nonprofit that sponsors education initiatives and trains activists on secure communications systems.
The Chinese government is everywhere and nowhere in Dharamsala, planting malware and intercepting messages in ways that are nearly undetectable and difficult to trace. The CTA's Chinese-language website was hacked in August. Everyone within the Tibetan community is a target, from the Dalai Lama's advisors to any smartphone-wielding refugee.
In early November, Tibet's Communist Party chief, Chen Quanguo, proposed a raft of measures to stamp out the Dalai Lama's voice in Tibet, including clamping down on online communications. "Work hard to ensure … that the voice and image of the enemy forces and the Dalai clique are neither seen nor heard," he wrote in Qiushi, a leading party journal.
A brutal, centuries-old form of protest has caught fire in Tibet, and Beijing is resorting to tactics both heavy-handed and high-tech to quell the unrest. Since February 2009, at least 120 Tibetans in the Himalayan region have self-immolated to protest Chinese rule -- men and women, old and young, monks and lay people. Chinese authorities have responded violently, deploying troops, cutting phone lines, and forcing monks to undergo draconian "patriotic education" programs. They blame "hostile foreign forces" for inciting the immolations -- mainly from Dharamsala, where advocacy groups gather information about the fiery protests and distribute that information abroad. Experts say that the hacks may be part of an elaborate campaign to identify possible protests and preempt them.
Few cyberattacks on Dharamsala are strategically tailored to monitor or control the city's network infrastructure, say experts. The most common attacks are spearphishing attempts: Tibetans, especially those working for the CTA or pro-independence organizations, say they frequently receive strange emails purporting to be from friends or associates. They often contain attachments that, once downloaded, infect the user's computer with malware, allowing a hacker to operate the system remotely. The computer essentially becomes shared; keystrokes are recorded, passwords saved, contacts downloaded. Everything is compromised.
Kelsang Aukatsang, a former advisor to the Tibetan prime minister in exile, remembers the shock of realizing that he'd been hacked. In July 2012, Aukatsang sent an email to a U.S. senator to arrange a meeting for the prime minister, Lobsang Sangay. The following morning, the senator received a surprise call from the Chinese Embassy in Washington, urging her not to attend. The meeting ultimately proceeded as planned. "But the bigger point is that they knew -- that exchange got intercepted," Aukatsang said. "You wonder what more you can do to feel safe. There's a real sense of being at risk, of being watched."
MORE THAN HALF THE CTA'S COMPUTERS contain some sort of malware, estimates the government in exile's press officer, Tsering Wangchuk. "Most of the key computers in our city, in Dharamsala, are in some way compromised," he says. The administration's technical staff of 13 spends much of its time simply trawling through hard disks, finding and eliminating malicious code. "They go after us all the time, diligently," said another administration employee who requested anonymity. "If with every 100,000 attempts they have one success, they use that one success to exploit everything that they can."
Cybersecurity experts call this "advanced persistent threat" (APT) -- a constant onslaught of targeted attacks requiring resources that are normally unavailable to individual hackers. "Dharamsala is ground zero for advanced persistent threat, really," says Greg Walton, a doctoral candidate at Oxford University's Center for Doctoral Training in Cyber Security. Walton traveled to Dharamsala in 2008 to help the Dalai Lama's private office better understand what, and who, had been compromising its systems. His team discovered that the most likely culprit was a shadowy hacker group responsible for a series of network intrusions that American investigators had dubbed "Byzantine Hades." The group, according to U.S. State Department cables released by WikiLeaks, had ties to a unit of the People's Liberation Army, China's military, based in the southwestern Chinese city of Chengdu.
Many Dharamsala-based Tibetan NGOs, Walton says, have been attacked by groups that are better known for infiltrating Western corporations, military contractors, and government agencies. One, dubbed "APT1" by cybersecurity firm Mandiant, is an elite cyber-espionage outfit affiliated with the Chinese military. Another group is a corporate espionage unit that allegedly stole secret documents and formulas from major global chemical companies in 2011 in an attack campaign dubbed "Nitro" by computer security firm Symantec. "In the most pessimistic light, there's very little that the Tibetans can do in exile, because they're so underresourced," says Walton. "If you have a situation where the State Department or the Pentagon is being compromised by the same groups, what hope do refugees in the foothills of the Himalayas have to deal with that problem?" He describes China's APT strategy as gathering "a thousand grains of sand," hoping that some piece of information, no matter how small, will bear strategic value.
PERHAPS AN EVEN MORE PERNICIOUS THREAT to Tibetan cybersecurity is WeChat, a Chinese smartphone app that combines features from Instagram, Skype, and Facebook. The program has more than 500 million users, with 100 million of them outside China; its popularity has exploded in Dharamsala over the past few years as an easy way for refugees to contact relatives back home. "All of my friends here use WeChat," says Tashi Nangyal, a 22-year-old Tibetan refugee who fled to India on foot across the Himalayas. "Since Tibetans inside Tibet are all using WeChat, we don't think of using any alternatives."
The program was developed by Tencent, a Shenzhen-based Internet empire that, like all major Chinese Internet companies, is rumored to enjoy close ties to the country's leadership. "From Tibetan civil society's point of view, WeChat is itself malware -- it's malicious," says Walton. "All of the traffic is being channeled through Shanghai. It's presumably being piped into China's equivalent of PRISM," he adds, referring to the U.S. National Security Agency's top-secret surveillance program, which was exposed by leaker Edward Snowden. Advocacy groups reported this summer that two monks in Tibetan areas of China were arrested after posting pictures of self-immolation protests to WeChat. One received a six-year prison sentence; the other will likely spend the rest of his life in jail. Tencent did not reply to a request for comment.
In recent years, short stints in Dharamsala have become a popular way for security experts to analyze little-known cyberattacks, says Shishir Nagaraja, a computer scientist at the University of Birmingham who has also aided the Dalai Lama's private office. "You don't have to pay people for this stuff. Some of the brightest minds at Cambridge will be more than happy to contribute to securing the Tibetans' Internet freedom rights," he says. Many are young, left-leaning idealists who are attracted by the novelty of the job. Yet "it's a very temporary arrangement," he said. Most stay for only two or three years, while China's hacking never ends.
"We are very vulnerable," says Tenzin Paldon, the Dharamsala-based editor in chief of Voice of Tibet, a radio station that broadcasts Tibet news into China via shortwave radio. Paldon's personal email account has been hacked; the broadcaster's website has been crippled repeatedly. Yet Paldon refuses to be cowed. If Tibetans continue to self-immolate, she says, she will continue to report their stories. "I think it's our duty to spread the word about what these people did, and why they're doing it, to the outside world."
Meanwhile, Dharamsala's Tibetan community has formed an incipient defense. In March, cyberactivists launched a secure Tibetan-language messaging application called YakChat. And the Tibetan government in exile recently procured a grant to lay new cables, update its servers, and train new staff, sources say, though they're keeping the details under wraps.
"What we're trying to do now is provide more opportunities for Tibetans themselves to become experts in cybersecurity," says Walton, the Oxford researcher. Many students at the Tibetan Children's Village, the leafy school campus where Sither gave his presentation, will go on to work in advocacy NGOs; some will join the CTA. Most are learning about cybersecurity for the first time, and experts hope that the lessons will resonate. "It's a gradual process, teaching people to guard their privacy. The Internet is quite a new thing in their lives," said Phuntsok Dorje, the head of the school's computer program.
IT'S TWILIGHT BY THE TIME SITHER FINISHES his PowerPoint presentation, and the students file out of the auditorium and into the cool, damp air of the rainy season. Nangyal, the 22-year-old refugee, says that students are not allowed to keep phones on campus and that he can only contact his family on holidays. The assembly has made him reflective. "I used to talk about His Holiness the Dalai Lama on WeChat," he says, his brow furrowed. I ask him whether he now understands that the Chinese may be listening in. Maybe he'll download a Korean messaging app, he offers, to make his communications less traceable. Or maybe, from now on, he'll just be more careful about what he says.